Your Fly Is Open

Netmenaces and Other Internet Stupidity

400

2025-09-28 3 min read Attacks

Did you really think I would stop when I got to 365?

For some time now, I’ve been writing about a New Year’s resolution I made to find and notify at least one organization per day about their compromised web servers in 2025. In my last update, I had just notified the 365th site, back on the 261st day of 2025. That completed my goal - I’d notified one site for every day of the year.

Goal accomplished! Was it time to kick back and relax?

Nope!

It’s now day 271, and I’ve just sent notification number 400.

Over the course of the year, the landscape hasn’t changed much. The internet remains a target-rich environment, and identifying compromised systems remains alarmingly simple. The path of least resistance is still a four-lane highway paved with outdated plugins and neglected content management systems.

The “Million-Dollar” Couch Project

When I wrote the last post, I threw out some conservative financial impact estimates. Now, with 400 organizations notified, we’ve crossed the $1,000,000 mark as a median potential financial impact. All from a retired guy on his couch using Google. It’s a number that feels both significant and deeply concerning. It illustrates the scale of the problem and how a modest amount of pro-bono effort can go a very long way.

The Human Element: The Good, The Bad, and The Confused

The biggest lesson from these last notifications hasn’t been technical. It’s been about the human response. When you tell someone their fly is open, you get a range of reactions. It’s no different in the digital world.

  • The Grateful: The vast majority of people I hear from are appreciative. They’re small business owners who are stretched thin and simply didn’t know. They are thankful for the quiet, non-judgmental heads-up. These are the responses that make the project worthwhile.

  • The Suspicious: A fair number of people are immediately suspicious. “How do I know you’re not the hacker?” It’s a valid question in a world full of scams. It highlights the trust deficit that exists online and makes clear communication absolutely critical. I’ve learned to be patient and provide as much verifiable, non-threatening information as possible.

  • The Silent: And then there are the silent ones - this is the VAST majority of folks I contact. Emails go into a void, contact forms are submitted with no reply. Oftentimes, the site gets silently cleaned up. Sometimes the site remains compromised. This is the most frustrating part. You can lead a horse to water, but you can’t make it patch its WordPress installation.

Why Is This Still So Hard?

The core challenge remains what it was on day one: contact. Finding the right person to receive a security notification is often more challenging than identifying the vulnerability itself. The absence of a simple security.txt file (RFC 9116, served at /.well-known/security.txt, listing a Contact address and an Expires date) on most websites turns a 5-minute task into a 30-minute investigation. For a business, this is a critical, and easily fixable, blind spot.
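Since security.txt is the one concrete fix this post keeps coming back to, here is a small checker for it. This is an added example written for this page, not code from the original post or from Bad Wolf Security; it assumes the RFC 9116 layout (Contact and Expires mandatory, Expires and Preferred-Languages at most once, Contact values as mailto:/https:/tel: URIs, Expires recommended to be under a year out). The two sample files, the example.com addresses and the REFERENCE_NOW date are constructed for illustration. It does not verify PGP cleartext signatures.

```python
"""Minimal RFC 9116 security.txt fetcher and checker (added example, not the post's own code)."""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116 (matched case-insensitively).
REQUIRED = {"contact", "expires"}                 # must be present
SINGLETON = {"expires", "preferred-languages"}    # at most one occurrence
KNOWN = REQUIRED | SINGLETON | {"encryption", "acknowledgments", "canonical", "policy", "hiring"}
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")  # Contact must be a URI

# Fixed "now" so the checks below are reproducible; this is the post's date, an assumption.
REFERENCE_NOW = datetime(2025, 9, 28, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse the file into {field_name_lower: [values in order]}.

    '#' lines are comments and blank lines are ignored.  Lines that do not
    look like 'Field: value' are collected under '__malformed__'.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime | None:
    """Parse an ISO 8601 / RFC 3339 timestamp; a trailing Z means UTC."""
    v = value.strip()
    if v[-1:] in ("Z", "z"):
        v = v[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(v)
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is usable for a report."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for line in fields.pop("__malformed__", []):
        problems.append(f"line without 'Field: value' form: {line!r}")
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field {name.title()}")
    for name in sorted(SINGLETON):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name.title()} must appear only once")
    for name in sorted(set(fields) - KNOWN):
        # Extension fields are permitted by the RFC, so this is only a spelling hint.
        problems.append(f"unrecognised field {name!r} (extension, or a misspelling?)")
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {value!r}")
    for value in fields.get("expires", []):
        exp = _parse_expires(value)
        if exp is None:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
        elif exp <= now:
            problems.append(f"file expired on {exp.isoformat()}")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems


def fetch_security_txt(host: str, timeout: float = 10.0) -> str | None:
    """Fetch https://host/.well-known/security.txt; None if absent or not text/plain.

    (Older deployments also placed it at /security.txt; that legacy path is not tried here.)
    """
    url = f"https://{host}/.well-known/security.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if not resp.headers.get_content_type().startswith("text/plain"):
                return None
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


# Constructed samples: what a usable file looks like, and a typical broken one.
SAMPLE_GOOD = """\
# Where to send reports about this site (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2026-03-31T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Expires: 2027-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(sample, REFERENCE_NOW) or "OK")
    if len(sys.argv) > 1:  # python security_txt_check.py example.org
        body = fetch_security_txt(sys.argv[1])
        print(sys.argv[1], "no security.txt" if body is None else (check_security_txt(body) or "OK"))
```

The checker reports the failures that actually stall a notification: an email address written without `mailto:`, a file that has silently expired, or two Expires lines that leave a reporter guessing which one to trust. Run it against your own domain before assuming someone like the author can reach you.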

This project continues to be a poignant reminder of the vast gap between the technical reality of cybersecurity and the day-to-day reality faced by individuals running businesses online. We’ve got to do better at bridging that gap.

On to notification 500!

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
June 3, 2025